Leadhound multiple vuln.

2006-04-18T00:00:00
ID SECURITYVULNS:DOC:12275
Type securityvulns
Reporter Securityvulns
Modified 2006-04-18T00:00:00

Description

Vuln. discovered by: r0t

Date: 18 April 2006

Vendor: http://www.leadhoundnetwork.com/

Affected versions: Leadhound "Full Remote version" & Leadhound LITE 2.1

Original advisory: http://pridels.blogspot.com/2006/04/leadhound-multiple-vuln.html

Product info:

Secure private network - Leadhound technology is hosted in-house at Leadhound's corporate offices. To help ensure maximum performance, a dedicated high performance 128-bit SSL secured server is included as part of the licensing agreement.

Full control over your affiliates - Each application can be reviewed for your approval, or rejection based on criteria that you set.

Reliability - Leadhound was designed from the ground up to be fully scalable, and serve 10,000's of affiliates. Our technology is proven, reliable, and an affordable solution.

Time to market - Save tens of thousands of Dollars in development cost, and countless hours of programming. Our technology is blended seamlessly into your current design.

Vuln. Description:

  1. Multiple SQL injection vuln.

Leadhound contains flaws that allow remote SQL injection attacks. Input passed to the "banner", "offset", "sub", "camp_id", "login", "logged" and "agent_id" parameters in "agent_links.pl", "agent_transactions_csv.pl", "agent_transactions.pl", "agent_subaffiliates.pl", "agent_commission_statement.pl", "agent_summary.pl" and "agent_camp_det.pl" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Notice: to see which parameter is affected in which file, please look at the examples:

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner=[SQL]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner='0'&move=1&submitted=1&offset=[SQL]

/cgi-bin/agent_transactions_csv.pl?login=r0t&logged=&camp_id=0&sub=[SQL]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=[SQL]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=[SQL]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=[SQL]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=[SQL]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=[SQL]

/cgi-bin/agent_commission_statement.pl?login=[SQL]

/cgi-bin/agent_commission_statement.pl?login=r0t&logged=[SQL]

/cgi-bin/agent_commission_statement.pl?login=r0t&logged=&agent_id=[SQL]

/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=[SQL]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=[SQL]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=[SQL]

  2. Multiple XSS vuln.

Leadhound contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "login", "logged", "camp_id", "banner", "offset", "date", "dates" and "page" parameters isn't properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Examples:

/cgi-bin/agent_affil.pl?login=[XSS]

/cgi-bin/agent_help.pl?login=[XSS]

/cgi-bin/agent_faq.pl?login=[XSS]

/cgi-bin/agent_faq.pl?login=demo&logged=[XSS]

/cgi-bin/agent_help_insert.pl?login=[XSS]

/cgi-bin/agent_help_insert.pl?login=r0t&logged=[XSS]

/cgi-bin/sign_out.pl?login=[XSS]

/cgi-bin/members.pl?login=[XSS]

/cgi-bin/members.pl?login=r0t&logged=[XSS]

/cgi-bin/modify_agent_1.pl?login=[XSS]

/cgi-bin/modify_agent_1.pl?login=r0t&logged=[XSS]

/cgi-bin/modify_agent_2.pl?login=[XSS]

/cgi-bin/modify_agent_2.pl?login=r0t&logged=[XSS]

/cgi-bin/modify_agent.pl?login=[XSS]

/cgi-bin/modify_agent.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_links.pl?login=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner='0'&move=1&submitted=1&offset=[XSS]

/cgi-bin/agent_stats_pending_leads.pl?login=[XSS]

/cgi-bin/agent_logoff.pl?login=[XSS]

/cgi-bin/agent_rev_det.pl?login=[XSS]

/cgi-bin/agent_rev_det.pl?login=r0t&dates=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=0&date=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=[XSS]

/cgi-bin/agent_commission_statement.pl?login=r0t&logged=&agent_id=[XSS]

/cgi-bin/agent_stats_pending_leads.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_transactions.pl?login=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=&date=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=[XSS]

/cgi-bin/agent_payment_history.pl?login=[XSS]

/cgi-bin/agent_summary.pl?login=[XSS]

/cgi-bin/agent_summary.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=[XSS]

/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=0&date=[XSS]

/cgi-bin/agent_camp_all.pl?login=[XSS]

/cgi-bin/agent_camp_all.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_new.pl?login=[XSS]

/cgi-bin/agent_camp_new.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_notsub.pl?login=[XSS]

/cgi-bin/agent_camp_notsub.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_campaign.pl?login=[XSS]

/cgi-bin/agent_campaign.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_expired.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_expired.pl?login=[XSS]

/cgi-bin/agent_stats_det.pl?login=r0t&dates=[XSS]

/cgi-bin/agent_stats_det.pl?login=[XSS]

/cgi-bin/agent_stats.pl?login=[XSS]

/cgi-bin/agent_stats.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=2&page=[XSS]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=[XSS]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_det.pl?login=[XSS]

/cgi-bin/agent_camp_sub.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_sub.pl?login=[XSS]

/cgi-bin/agent_affil_list.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_affil_list.pl?login=[XSS]

/cgi-bin/agent_affil_code.pl?login=[XSS]

/cgi-bin/agent_affil_code.pl?login=r0t&logged=[XSS]

In addition, XSS can be entered in the lost password field:

/cgi-bin/lost_pwd.pl [XSS]

Solution: Edit the source code to ensure that input is properly sanitised.
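
One way to apply this fix, shown as an added example that is not from the advisory or the vendor's code: numeric parameters such as "offset" are validated as integers, every request value reaches the database only as a bound parameter, and "login" is HTML-escaped before it is echoed. It is written in Python with sqlite3 so that it runs stand-alone (Leadhound itself is Perl CGI); the table, rows and function names are constructed for illustration.

```python
import html
import sqlite3

def make_db():
    """Constructed schema and rows; the advisory does not show Leadhound's tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE transactions "
               "(id INTEGER PRIMARY KEY, agent TEXT, sub TEXT, amount REAL)")
    db.executemany("INSERT INTO transactions (agent, sub, amount) VALUES (?, ?, ?)",
                   [("r0t", "a", 10.0), ("r0t", "b", 5.0), ("demo", "a", 99.0)])
    return db

def parse_int(raw, hi=1_000_000):
    """Numeric parameters (offset, camp_id, agent_id): ASCII digits only, bounded."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("expected a non-negative integer")
    value = int(raw)
    if value > hi:
        raise ValueError("integer out of range")
    return value

def list_transactions(db, params):
    """Every request value is bound with '?'; none is spliced into the SQL text."""
    sql = "SELECT id, sub, amount FROM transactions WHERE agent = ?"
    args = [params.get("login", "")]
    if params.get("sub"):                      # optional filter, still bound
        sql += " AND sub = ?"
        args.append(params["sub"])
    sql += " ORDER BY id LIMIT 20 OFFSET ?"
    args.append(parse_int(params.get("offset", "0")))
    return db.execute(sql, args).fetchall()

def render_page(db, params):
    """Escape request- and database-derived strings before they are put into HTML."""
    rows = list_transactions(db, params)
    login = html.escape(params.get("login", ""), quote=True)
    cells = "".join("<tr><td>%d</td><td>%s</td><td>%.2f</td></tr>"
                    % (rid, html.escape(sub), amount) for rid, sub, amount in rows)
    return "<h1>Transactions for %s</h1><table>%s</table>" % (login, cells)

if __name__ == "__main__":
    db = make_db()
    print(render_page(db, {"login": "r0t", "offset": "0"}))
```

A request that fails `parse_int` should be answered with an error rather than silently defaulted, so malformed values show up in logs.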

More information @ unsecured-systems.com/forum/